From: dornseif at informatik.rwth-aachen.de (Maximillian Dornseif)
Subject: Advisory: SQL-Injection in CitrusDB

                      Advisory: SQL-Injection in CitrusDB

A group of students at our lab called RedTeam found an SQL-Injection  
vulnerability in CitrusDB.

Details
=======

Product: CitrusDB
Affected Version: 0.3.6 (verified), probably <= 0.3.5, too
Immune Version: none
OS affected: all
Security-Risk: low
Remote-Exploit: no
Vendor-URL: http://www.citrusb.org
Vendor-Status: informed
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-004
Advisory-Status: public
CVE: CAN-2005-0410 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0410#)

Introduction
============

Description from vendor: "CitrusDB is an open source customer database
application that uses PHP and a database backend (currently MySQL) to
keep track of customer information, services, products, billing, and
customer service information."

CitrusDB does not filter special characters (e.g. single quotes) from
uploaded csv files.

More Details
============

In ./citrusdb/tools/importcc.php, data from a previously uploaded csv
file is inserted into the MySQL database, but none of the values are
filtered.

Proof of Concept
================

A csv file with content

',,,,,

makes the SQL-Query in ./citrusdb/tools/importcc.php fail.

Workaround
==========

Check csv files manually for single quotes before upload.

Fix
===

n/a

Security Risk
=============

The security risk is rated low because only special users may upload csv
files, and with this SQL injection it is only possible to inject data
that could more easily be inserted directly through the csv file.

History
=======

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0410

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find
more information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/

-- 
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/
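
Added example, not part of the original advisory and not CitrusDB's code:
the failure described under "More Details" and "Proof of Concept",
reproduced in Python with sqlite3 standing in for the PHP/MySQL import,
next to a parameterized insert and the workaround's quote check. The table
name, column names and sample rows are assumptions constructed for
illustration.

```python
import csv
import io
import sqlite3

# Constructed sample upload: line 2 is the advisory's proof-of-concept row.
SAMPLE_CSV = "1001,alice,a,b,c,d\n',,,,,\n"


def new_db():
    # Hypothetical six-column table; sqlite3 stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE import_rows (c1, c2, c3, c4, c5, c6)")
    return db


def import_concatenated(db, text):
    """Vulnerable pattern: csv values pasted into the SQL string unfiltered."""
    failed = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        values = ", ".join("'%s'" % v for v in row)
        try:
            db.execute("INSERT INTO import_rows VALUES (%s)" % values)
        except sqlite3.Error:
            failed.append(n)  # the quote in the data broke the statement
    return failed


def import_parameterized(db, text):
    """Hardened pattern: values are bound parameters, never SQL text."""
    rows = [r for r in csv.reader(io.StringIO(text)) if len(r) == 6]
    db.executemany("INSERT INTO import_rows VALUES (?, ?, ?, ?, ?, ?)", rows)
    return len(rows)


def rows_with_quotes(text):
    """The workaround as a pre-upload check: line numbers that contain '."""
    return [n for n, line in enumerate(text.splitlines(), start=1) if "'" in line]


if __name__ == "__main__":
    print("concatenated import failed on lines:", import_concatenated(new_db(), SAMPLE_CSV))
    print("parameterized import stored rows:", import_parameterized(new_db(), SAMPLE_CSV))
    print("lines to review before upload:", rows_with_quotes(SAMPLE_CSV))
```

With bound parameters the single quote is stored as ordinary data, so the
manual pre-upload check becomes a review aid rather than the only safeguard.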